MS02-021: An E-mail Editor Flaw Can Lead to Script Execution If You Reply or Forward a Message (321804)



The information in this article applies to:

  • Microsoft Outlook 2002
  • Microsoft Outlook 2000
  • Microsoft Word 2002
  • Microsoft Word 2000

This article was previously published under Q321804

SYMPTOMS

If you use Microsoft Word as your e-mail editor in Outlook 2000 and Outlook 2002 to create and edit messages in either the Outlook Rich Text format or Hypertext Markup Language (HTML) format, a flaw prevents Word from applying the restrictive security settings that disallow scripts from running when you reply to or forward a message.

An attacker can exploit this vulnerability by sending a specially malformed HTML message that contains a script to a Microsoft Outlook user who uses Word as their e-mail editor. The script can then take any action on the system as if it were the user.

The attacker's actions are limited by any restrictions that govern the user's actions. Therefore, in an environment where accounts follow the rule of least privilege, the attacker may be significantly limited in the actions that their program can take.

Mitigating Factors

  • The vulnerability only affects Outlook users who use Word as their e-mail editor.
  • Users who have enabled the feature introduced in Microsoft Office XP SP1 to read HTML messages as plain text are not vulnerable.
  • For an attacker to successfully use this vulnerability, the user must reply to or forward the malicious message.

CAUSE

This problem can occur because of a flaw in how the WordMail editor handles scripting that is contained in HTML when a user replies to or forwards the message. In certain circumstances, the scripting is handled in an unsafe manner and is run without warning the user.

RESOLUTION

Outlook 2002

The patch for this problem is included in the "Word 2002 Update: April 25, 2002". For additional information, click the article number below to view the article in the Microsoft Knowledge Base:

320441 WD2002: Overview of Word 2002 Update: April 25, 2002

The English-language version of this fix has the file attributes (or later) that are listed in the following table:
   Version          Size        File name     
   ----------------------------------------
   10.00.4009.0000  10,582,344  Winword.exe

Outlook 2000

The patch for this problem is included in the "Word 2000 Update: April 25, 2002". For additional information, click the article number below to view the article in the Microsoft Knowledge Base:

320536 WD2000: Overview of Word 2000 Update: April 25, 2002

The English-language version of this fix has the file attributes (or later) that are listed in the following table:
   Version     Size       File name     
   ----------------------------------
   9.0.0.6328  8,814,644  Winword.exe 
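
To check a workstation against the two file-version tables above, the following PowerShell script (an added example, not part of the original article and not a Microsoft tool) compares a Winword.exe file version with the fixed baseline for its major version. The function names, the placeholder path and the sample versions are assumptions made for illustration; the baselines are the English-language values given in the article.

```powershell
# Added example. Get-MS02021Status and Test-WinwordFile are hypothetical names.
# Baselines are the "(or later)" file versions from the RESOLUTION tables
# (English-language files, as stated in the article).
$FixedBaseline = @{
    10 = [version]'10.0.4009.0'   # Word 2002: 10.00.4009.0000
    9  = [version]'9.0.0.6328'    # Word 2000: 9.0.0.6328
}

function Get-MS02021Status {
    param([Parameter(Mandatory = $true)][version]$FileVersion)
    $baseline = $FixedBaseline[$FileVersion.Major]
    if ($null -eq $baseline) { return 'NotApplicable' }  # not Word 2000 or Word 2002
    if ($FileVersion -ge $baseline) { return 'Fixed' }   # at or later than the listed version
    return 'Unpatched'                                   # earlier than the listed version
}

function Test-WinwordFile {
    param([Parameter(Mandatory = $true)][string]$Path)
    $vi = (Get-Item -LiteralPath $Path -ErrorAction Stop).VersionInfo
    # Build the version from the numeric parts; the FileVersion string is
    # free-form text and may not parse (for example "10.00.4009.0000 (build)").
    $v = New-Object System.Version -ArgumentList `
        $vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart
    New-Object psobject -Property @{
        Path        = $Path
        FileVersion = $v
        Status      = Get-MS02021Status -FileVersion $v
    }
}

# Constructed sample versions (not from the article) showing each outcome.
$samples = '10.0.4009.0', '10.0.4008.0', '9.0.0.6328', '9.0.0.6327', '11.0.0.0'
foreach ($s in $samples) {
    '{0,-12} {1}' -f $s, (Get-MS02021Status -FileVersion ([version]$s))
}

# On a real system, pass the installed file (placeholder path):
# Test-WinwordFile -Path 'C:\path\to\Winword.exe'
```

An "Unpatched" result only means the file is older than the listed version; per the mitigating factors, exposure also requires that Word is configured as the Outlook e-mail editor.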

STATUS

Microsoft has confirmed that this problem may cause a degree of security vulnerability in the Microsoft products that are listed at the beginning of this article.

MORE INFORMATION

For more information about this vulnerability, visit the following Microsoft Web site:

Modification Type: Major
Last Reviewed: 11/26/2003
Keywords: kbbug kbfix kbOffice2000preSP3fix kbOfficeXPPreSP2fix kbQFE kbSecurity KB321804